Simon Perreault wrote:
Le 2013-09-23 13:25, Hani Mustafa a écrit :
Most vendors (including aforementioned vendors) have mostly just hoped that the entire industry is going to move to SIP and also placed their bets there, hoping that all the security problems with H.323 authentication would go away.
[...]
As long as nobody verifies TLS certificates, I don't see how the situation can change for either SIP or H.323.
Exactly my point: Lets use TLS and check the certificates as closely as we can.
GnuGk currently checks the certificates signature (either against your own CA or the public CAs you configure) and can also check if the IP the call comes from matches the certificate.
Everybody is invited to check the source code if I do it right and is encouraged to implement similar checks in other endpoints, gateways or gatekeepers!
See Toolkit::MatchHostCert() in Toolkt.cxx http://openh323gk.cvs.sourceforge.net/viewvc/openh323gk/openh323gk/Toolkit.c...
Regards, Jan